Method and apparatus to permit data transmission to traverse firewalls

ABSTRACT

Currently data transmission over the Internet between two client computers where both client computers are protected by firewalls is problematic, since firewalls block incoming packets. A method is provided for permitting packet based data transmission between a first client computer C1 protected by a first NAPT or NAT firewall and a second client computer C2 protected by a second NAPT or NAT firewall to traverse the first and the second firewalls. The method can also be applied to other devices, such as routers, using NAT or NAPT.

RELATED APPLICATION

[0001] This application claims priority from previously filed U.S. provisional patent application serial No. 60/269,357, filed Feb. 20, 2001, entitled METHOD AND APPARATUS TO PERMIT REAL-TIME MEDIA DELIVERY TO TRAVERSE FIREWALLS ON A COMPUTER NETWORK.

TECHNICAL FIELD

[0002] The invention relates to the field of data transmission over a computer network, and more particularly to methods for permitting data transmissions using packet based transmission protocols to traverse firewalls.

BACKGROUND ART

[0003] Computers connected to wide area networks like the Internet are commonly protected by firewalls. Firewalls are most commonly used to protect computers operating on local area networks, but they can also be used to protect individual computers, including servers, which access a wide area network. In this application, the term “client computer” will encompass any computer with access to a wide area network, and also a program operating on such a computer. Such a computer may, but need not, operate on a local area network, and may perform the functions of a server on the wide area network.

[0004] Firewalls typically perform a number of functions. They protect internal computers from outside computers on the wide area network, while allowing internal computers to access the wide area network. Firewalls can also make local network administration more efficient, by permitting a large number of client computers to share a limited pool of Internet Protocol (IP) addresses on the wide area network, and by accommodating changes within the local network without having to re-configure access to the other computers on the wide area network.

[0005] A firewall is typically a program or collection of related programs on a network gateway server which check each network packet to determine whether to forward it to its destination. To create a barrier between an internal computer and the outside wide area network, firewalls commonly use NAT (network address translation) or NAPT (network address and port translation). NAT is the translation of an internal IP address used by a client computer (and known within the internal network, if the client computer is operating on one), to a different IP address known within the outside wide area network. The firewall maps internal IP addresses to one or more global external IP addresses, and reverse maps the external IP addresses on incoming packets back into internal IP addresses. NAPT is the translation of both internal IP addresses and internal ports to different external IP addresses and external ports known within the outside network. Firewalls using NAPT commonly screen incoming packets to make sure that they come from a previously identified IP address and port. That is, a request from a particular IP address and port traverses the firewall only if a request previously went out from the firewall to that IP address and port.

[0006] Data transmission over the Internet has become an everyday occurrence. Many Internet data transmissions are used to transport audio and/or video data from a live or on-demand streaming server to streaming clients, to provide real-time interactive communication (such as “chat”) between client computers, to transport the contents of web-pages from web-servers to web-clients, and for many other types of communication among networked programs. Different protocols are used to transmit different types of data. For example, text chat is generally transmitted using Transmission Control Protocol (TCP), while audio/video conferencing and live audio/video streaming are generally transmitted using UDP (User Datagram Protocol). Communications through a server connected directly to the Internet (that is, not behind a firewall) are not generally obstructed by client-side firewalls; the act of logging on to a server generally opens a return path from the server through the firewall. However, firewalls commonly block direct client-to-client, or “peer-to-peer” communication. One attempted solution is to open certain ports in the firewall, but this solution (i) requires modification of the firewall settings, which most network administrators are reluctant to do, and (ii) does not work with firewalls that perform any sort of port translation. The present invention provides a method for permitting packet based data transmission to traverse firewalls using either NAPT or NAT without altering firewall settings. The invention is disclosed in the context of a firewall using NAPT, as the more general case. However, the method provided in the invention is equally applicable to a firewall using NAT, and also to other types of devices, such as routers, using either NAPT or NAT.

DISCLOSURE OF INVENTION

[0007] The invention therefore provides a method of transmitting a data packet from a first computer to a second computer over a wide area computer network, a data packet transmitted from the first computer having a first source address designating the first computer and a data packet transmitted from the second computer having a second source address designating the second computer, wherein the first computer is protected by a first firewall which translates the first source address to a first external address when transmitting a data packet from the first computer to the wide area network, and the second computer is protected by a second firewall which translates the second source address to a second external address when transmitting a data packet from the second computer to the wide area network, the first and second firewalls communicating over the wide area computer network, the method using a designated recipient computer in communication with the first and second computers via the wide area computer network, said method comprising: a) the first and second computers sending first and second data packets to the designated recipient computer; b) the designated recipient computer communicating the first external address from the first data packet to the second computer and communicating the second external address from the second data packet to said first computer; c) the second computer sending a data packet to the first external address; and d) the first computer sending a data packet to said second external address.

[0008] The method further provides for two-way transmission of data by additionally having the second computer then send a data packet to the first external address. The method can be applied to a plurality of computers protected by firewalls communicating over a wide area network. The firewalls may be NAT or NAPT. In particular the method works if the IP address and port are translated at the firewall, or only the IP address. The designated recipient computer can be any type of computer, including without limitation a designated server, a peer computer involved in the data transmission, or a peer computer not involved in the data transmission.

[0009] The present invention further provides a computer program product for carrying out the foregoing method, and a system for transmitting a data packet between two firewall-protected computers over a wide area network.

BRIEF DESCRIPTION OF DRAWINGS

[0010] FIG. 1 is a schematic diagram illustrating a preferred embodiment of the invention; and

[0011] FIG. 2 is a flowchart illustrating a preferred embodiment of the invention.

BEST MODE(S) FOR CARRYING OUT THE INVENTION

[0012] FIG. 1 schematically illustrates a client computer C1 (12) on local area network (14), protected by NAPT firewall FW1 (16), wishing to send a UDP data stream, such as a live video data stream, over Internet (10), to client computer C2 (20) on local area network (22), protected by NAPT firewall FW2 (24). Within this schematic, C1 has internal IP address H1, and will use internal port h1 to transmit the UDP data stream. Firewall FW1 translates these into external IP address F1 and external port f1 (18). C2 has internal IP address H2, and will use internal port h2 to receive the UDP data stream. Firewall FW2 will receive UDP packets destined for C2 at external IP address F2 and external port f2 (26). Both C1 and C2 log onto a server S1 (28), whose purpose is to establish a path to transmit the UDP data stream from C1 to C2. However, the UDP data stream is not transmitted through the server. It is sent client-to-client to take advantage of efficiencies and scalability that can be realized from peer-to-peer communication over the Internet.

[0013] Peer-to-peer communications are prevented by almost all firewalls. NAPT firewalls FW1 and FW2 will only permit an incoming UDP packet to pass if (i) its source and destination addresses match the destination and source addresses, respectively, of a recent outgoing UDP packet, and (ii) its source and destination ports match the destination and source ports, respectively, of a recent outgoing UDP packet. If either C1 or C2 attempts to send a packet to the other, the receiver's firewall will block the incoming packet if it does not meet these criteria.

[0014] The present invention permits C1 to send a UDP data stream to C2 by the following steps:

[0015] (1) C1 sends a UDP packet U1 to server S1. C1 initiates the transmission from its internal IP address and UDP port (H1:h1). Firewall FW1 translates the IP address and port to F1:f1 at the external interface of FW1.

[0016] (2) When S1 receives packet U1 from F1:f1, S1 can identify F1 and f1 as the external IP address and external port from which FW1 will send the UDP data stream originating with C1.

[0017] (3) C2 sends a UDP packet U2 to server S1. C2 initiates the transmission from its internal IP address and UDP port (H2:h2). Firewall FW2 translates the IP address and port to F2:f2 at the external interface of FW2.

[0018] (4) When S1 receives packet U2 from F2:f2, S1 can identify F2 and f2 as the external IP address and external port at which FW2 will receive the UDP data stream to be transmitted from C1 to C2.

[0019] (5) S1 tells C2 that F1:f1 are the external IP address and port from which C1 will send the UDP data stream.

[0020] (6) S1 tells C1 that F2:f2 are the external IP address and port to which the UDP data stream destined for C2 should be sent.

[0021] (7) C2 sends a UDP packet U3 to F1:f1, using its internal port h2. Firewall FW2 will send the packet from F2:f2. This packet will be blocked by firewall FW1, since FW1 has not yet sent any packet from F1:f1 to F2:f2 and so the criteria of paragraph [0013] are not met. However, as described in step (8), it will prompt firewall FW2 to pass subsequent packets sent by C1 destined for C2.

[0022] (8) When C1 subsequently sends a data stream consisting of UDP packets destined for C2 from its internal port h1, firewall FW1 will send them from F1:f1 to F2:f2. Because of the packet sent in step (7), firewall FW2 recognizes F1:f1 as an address and port to which it has recently sent a packet from F2:f2. Accordingly, it permits packets sent from F1:f1 to F2:f2 to pass through the firewall, and forwards them to H2:h2, the internal IP address and port for C2.

[0023] In this way, the invention creates a means by which UDP data streams originating with C1 pass through to C2. This can be used for streaming applications, in which C1 sends a live or on-demand data stream to C2. Steps similar to (1) to (8), carried out vice versa, will permit UDP data streams originating with C2 to pass through firewall FW1, to C1. Thus, C1 and C2 can utilize applications which depend on two-way transmission of UDP data streams, such as video conferencing. Similar steps carried out by a number of client computers, C1, . . . , CN, will permit one-to-many, many-to-one, or many-to-many transmission of UDP data streams through NAPT firewalls.

[0024] For the method to work with a firewall using NAPT, the packets sent in steps (1) and (3) will generally have to be of the same type (i.e. TCP, UDP, etc.) as the type used to transmit the data in step (8). The reason is that many computer applications or firewalls use different ports to transmit and receive different types of data. However, if that is not the case, the packets sent in steps (1) and (3) need not be of the same type as the type used in step (8). In addition, firewall FW1 must use the same external IP address and port to send the initial packet in step (1) as it uses subsequently to commence sending the data to C2 in step (8) (although the method can be adapted to accommodate subsequent changes in the IP addresses and ports, as described more fully below). This generally happens in practice so long as the software at client computer C1 is written to send both transmissions from the same internal IP address and port, as most firewall programs using NAPT currently create one-to-one mappings between internal IP addresses and ports and external IP addresses and ports used to send the same type of packet. A firewall that instead allocates a different external port for each destination (commonly called a symmetric NAT) does not meet this requirement: the port it used toward S1 is not the port it will use toward the other firewall, so the packet of step (7) or the data of step (8) arrives from an endpoint the receiving firewall has never sent to, and is dropped. Similarly, firewall FW2 must use the same external IP address and port to send the packet in step (3) that it will use to commence receiving the data in step (8). This also will generally happen in practice, so long as the software at client computer C2 is written to send the packet in step (3) from, and to receive the data in step (8) at, the same internal IP address and port.

[0025] As will be apparent to those skilled in the art, the method can be readily adapted to support two-way data transmission between C1 and C2, to support one-to-many data transmission from C1 to client computers C2, . . . , CN, to support many-to-one data transmission from client computers C2, . . . , CN to C1, or to support many-to-many data transmission among client computers C1, . . . , CN. As well, the invention has been described with both C1 and C2 protected by firewalls, as that situation provides the clearest description of the invention. However, the method is readily adapted to the situation where only the receiving client computer is protected by a firewall.

[0026] The designated recipient computer can be any type of computer, including without limitation a designated server, a peer computer involved in the data transmission, or a peer computer not involved in the data transmission.

[0027] As will be apparent to those skilled in the art in light of the foregoing disclosure, many alterations and modifications are possible in the practice of this invention without departing from the spirit or scope thereof. For example, the possible alterations and modifications include, but are not limited to, the following:

[0028] 1. For robustness against packet loss or delay, C1 and/or C2 could send multiple packets to S1 in steps (1) and (3), instead of a single packet. Packets could be sent until confirmation is received that S1 has received one of the packets.

[0029] 2. Also for robustness against packet loss or delay, C2 could send multiple packets in step (7), instead of a single packet. Since FW1 drops these packets and cannot acknowledge them, packets could be sent until C2 receives confirmation that the path through FW2 has been opened, for example the arrival of the first data packets from C1.

[0030] 3. The method can also be used when either C1 or C2 uses separate ports for sending and receiving UDP data streams. For example, if C1 uses h1 for sending UDP data streams and h3 for receiving data streams, firewall FW1 will translate these into f1 and f3 respectively. C2 would have to send a UDP packet from its receiving port to F1:f1, and C1 would have to send a UDP packet from h3 (which FW1 sends from F1:f3) to the external sending port of C2. These packets would open paths over which C1 could send to C2 (through f1), and over which C2 could send to C1 (through f3).

[0031] 4. In the case of two-way communication, and where firewalls FW1 and FW2 use the same external ports for both sending and receiving UDP data, the initial data packets in the data streams can be used as the packets required to open the paths (as in step (7)). The initial data packets may be blocked, until a data packet is sent in the other direction. However, applications using UDP transmissions are typically robust against packet loss, and the method will work so long as loss of the initial data packet or packets is not critical to the application in question.

[0032] 5. If firewall FW1 (or FW2) changes the external IP address or port which it uses to transmit UDP data for any reason (such as a long data transmission or period of silence), the method can be adapted to refresh the data identifying the external IP addresses and ports, to maintain open transmission paths. For example, if FW1 changes the external IP address or port used to transmit UDP data originating from C1, new packets will be sent periodically to the intermediary server S1 as in step (1), above, to identify any new IP address or port being used by FW1. The remaining steps (2) through (8) can then be repeated using the new data. All that the method requires is that the same external sending IP address and port be used by FW1 for a long enough period of time that the initial packet sent to S1 in step (1) comes from the same IP address and port as the initial data packets in the UDP data stream.

[0033] 6. In the best mode described above, server S1 is used as intermediary to receive UDP packets originating from C1 and C2, and to use information contained in those packets to identify the external ports being used by FW1 and FW2. However, any other means for informing each terminal of the other's external ports will also work according to the invention. For example, C1 and C2 could use different echo servers, S1 and S2, which return any UDP packet to its source together with the external IP address and port from which the server received it. This will permit C1 and C2 to identify F1:f1 and F2:f2, respectively. C1 and C2 could use any other means, such as off-line exchange of information by the users, or TCP transmissions either directly to the other or through a common server, to inform each other about F1:f1 and F2:f2.

[0034] 7. The method can be used where client computers communicate through a server computer, although the method is not usually needed in that case, as a client computer generally opens a return path from the server when it logs on to the server.

[0035] 8. The method can also be used where only the receiving client computer is behind a firewall, but there is no firewall protecting the sending client computer.

[0036] 9. Although the above method has been described in the context of real-time audio and video communications using UDP packets, it will be apparent to those skilled in the art that the method has application to other forms of packet based data transmission.

[0037] 10. The method can also be adapted to firewalls which do not create one-to-one mappings between internal and external IP addresses and ports, by deducing the mapping scheme from received packets, and then utilizing the deduced mapping schemes to send the required packets from the external receiving IP addresses and ports of each client computer to the external sending IP addresses and ports of each other client computer.

[0038] 11. While the invention has been disclosed in connection with a NAPT firewall, it would also operate in the same manner if firewalls FW1 and FW2 are NAT firewalls. In that case, NAT FW1 would translate H1:h1 to F1:h1, and NAT FW2 would translate H2:h2 to F2:h2. The method would otherwise be identical.
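The exchange of steps (1) to (8), the same-mapping requirement of paragraph [0024], and the mapping-deduction variant of paragraph [0037], as an added example that is not part of the patent: a Python simulation with both NAPT firewalls modelled, so the run can be observed offline. The firewall model (one external port per internal port, or one per destination when marked symmetric; an inbound packet forwarded only from an endpoint that mapping already sent to), the sequential port allocator that makes the "next port" guess of the predict option possible, and all addresses, ports and names are assumptions of this example, not statements of the patent.

```python
"""Added example (not code from the patent): an offline simulation of steps (1)
to (8) with both NAPT firewalls modelled.

Model assumptions (this example's, not statements of the patent):
  * a firewall keeps one external ip:port per internal ip:port (the one-to-one
    mapping paragraph [0024] relies on) unless symmetric=True, in which case it
    allocates a fresh external port per destination, sequentially;
  * an inbound packet is forwarded only if its source is an endpoint that the
    same mapping recently sent to (the rule of paragraph [0013]);
  * all addresses, ports and host names are made-up documentation values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

    def __str__(self) -> str:
        return f"{self.ip}:{self.port}"


@dataclass
class Napt:
    ext_ip: str
    symmetric: bool = False                          # fresh port per destination
    next_port: int = 40000                           # sequential allocator
    mappings: dict = field(default_factory=dict)     # key -> external Endpoint
    inside: dict = field(default_factory=dict)       # external -> internal Endpoint
    allowed: dict = field(default_factory=dict)      # external -> {remote Endpoint}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing packet; returns the external source it leaves from."""
        key = (src, dst) if self.symmetric else src
        ext = self.mappings.get(key)
        if ext is None:
            ext = Endpoint(self.ext_ip, self.next_port)
            self.next_port += 1
            self.mappings[key] = ext
            self.inside[ext] = src
            self.allowed[ext] = set()
        self.allowed[ext].add(dst)                   # remember whom this mapping sent to
        return ext

    def inbound(self, src: Endpoint, dst: Endpoint):
        """Return the internal endpoint an incoming packet is forwarded to, or None if dropped."""
        if dst in self.allowed and src in self.allowed[dst]:
            return self.inside[dst]
        return None


def hole_punch(symmetric_fw1=False, symmetric_fw2=False, predict=False) -> dict:
    """Run steps (1)-(8).  With predict=True the information S1 hands out is
    extended in the spirit of paragraph [0037]: a symmetric firewall's next
    sequential port is assumed to be the one it will use toward the peer."""
    s1 = Endpoint("198.51.100.10", 5000)             # rendezvous server S1
    fw1 = Napt("203.0.113.1", symmetric=symmetric_fw1)
    fw2 = Napt("203.0.113.2", symmetric=symmetric_fw2)
    h1 = Endpoint("10.0.0.5", 6000)                  # C1 internal H1:h1
    h2 = Endpoint("192.168.1.7", 6000)               # C2 internal H2:h2

    # steps (1)-(4): U1 and U2 reach S1, which records the external endpoints
    f1 = fw1.outbound(h1, s1)                        # F1:f1 as seen by S1
    f2 = fw2.outbound(h2, s1)                        # F2:f2 as seen by S1

    # steps (5)-(6): S1 tells each side where the other is (optionally predicted)
    target1 = Endpoint(f1.ip, f1.port + 1) if predict and fw1.symmetric else f1
    target2 = Endpoint(f2.ip, f2.port + 1) if predict and fw2.symmetric else f2

    # step (7): C2 sends U3 toward C1; FW1 drops it, but FW2 now permits the reverse path
    u3_src = fw2.outbound(h2, target1)
    u3_at_c1 = fw1.inbound(u3_src, target1)

    # step (8): C1 sends the data stream from h1; FW2 forwards it only if the
    # source is the endpoint step (7) was sent to
    data_src = fw1.outbound(h1, target2)
    data_at_c2 = fw2.inbound(data_src, target2)

    return {
        "F1:f1": str(f1),
        "F2:f2": str(f2),
        "u3_blocked_at_fw1": u3_at_c1 is None,
        "data_sent_from": str(data_src),
        "delivered": data_at_c2 == h2,
    }


if __name__ == "__main__":
    for kw in ({}, {"symmetric_fw2": True}, {"symmetric_fw2": True, "predict": True}):
        print(kw, hole_punch(**kw))
```

Run as a script, the three cases show the behaviour the text describes: with one-to-one mappings the step (8) stream reaches H2:h2 while U3 is dropped at FW1; when FW2 allocates a new external port for its step (7) packet, the stream C1 sends to the F2:f2 that S1 observed is dropped; predicting that port restores delivery, but only because this model allocates ports sequentially, which a real firewall need not do.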

What is claimed is:
 1. A method of transmitting a UDP data packet from a first computer to a second computer over a wide area computer network, said first computer having a first internal network address and a designated internal port from which it will transmit the UDP data packet and said second computer having a second internal network address and a designated internal port at which it will receive the UDP data packet, wherein said first computer is protected by a first firewall which translates said first internal network address to a first external network address when communicating over said wide area computer network, and said second computer is protected by a second firewall which translates said second internal network address to a second external network address when communicating over said wide area computer network, said first and second firewalls communicating over said wide area computer network, said method using a designated recipient computer in communication with said first and second computers via said wide area computer network, said method comprising: a) said first computer sending a first UDP data packet to said designated recipient computer using its designated internal transmitting port, and said second computer sending a second UDP data packet to said designated recipient computer using its designated internal receiving port; b) said designated recipient computer communicating said first external network address and said designated internal transmitting port determined from said first UDP data packet to said second computer, and communicating said second external network address and said designated internal receiving port determined from said second UDP data packet to said first computer; c) said second computer sending a UDP data packet using its designated internal receiving port to said first external network address and the designated internal transmitting port of said first computer; and d) said first computer sending a UDP data packet using its designated internal transmitting port to said second external network address and the designated internal receiving port of said second computer.
 2. A method for permitting two-way transmission of UDP data packets between a first computer and a second computer over a wide area computer network, each of said first and second computers having an internal network address, a designated internal port from which it will transmit the UDP data packets, and a designated internal port at which it will receive the UDP data packets, wherein said first computer is protected by a first firewall which translates said internal network address of said first computer to a first external network address when communicating over said wide area computer network, and said second computer is protected by a second firewall which translates said second internal network address to a second external network address when communicating over said wide area computer network, said first and second firewalls communicating over said wide area computer network, said method using a designated recipient computer in communication with said first and second computers via said wide area computer network, said method comprising: a) said first computer sending two UDP data packets to said designated recipient computer, one sent using the designated internal transmitting port of said first computer and one sent using the designated internal receiving port of said first computer, and said second computer sending two UDP data packets to said designated recipient computer, one sent using the designated internal transmitting port of said second computer and one sent using the designated internal receiving port of said second computer; b) said designated recipient computer communicating said first external network address, designated internal transmitting port, and designated internal receiving port of said first computer, determined from said data packets sent from said first computer, to said second computer, and communicating said second external network address, designated internal transmitting port, and designated internal receiving port of said second computer, determined from said data packets sent from said second computer, to said first computer; c) said second computer sending a UDP data packet using its designated internal receiving port to said first external network address and designated internal transmitting port of said first computer, and said first computer sending a UDP packet using its designated internal receiving port to said second external network address and designated internal transmitting port of said second computer; and d) said first computer sending UDP data packets using its designated internal transmitting port to said second external network address and designated internal receiving port of said second computer, and said second computer sending UDP data packets using its designated internal transmitting port to said first external network address and designated internal receiving port of said first computer.
 3. A method for permitting two-way transmission of UDP data packets between any two of a plurality of computers over a wide area computer network, each computer having an internal network address, a designated internal port from which it will transmit the UDP data packets, and a designated internal port at which it will receive the UDP data packets, wherein each computer is protected by a firewall which translates said internal network address of said computer to an external network address when communicating over said wide area computer network, said firewalls communicating over said wide area computer network, said method using a designated recipient computer in communication with said plurality of computers via said wide area computer network, said method comprising: a) said plurality of computers sending respective UDP data packets to said designated recipient computer using their designated internal receiving ports, and sending respective UDP data packets to said designated recipient computer using their designated internal transmitting ports; b) said designated recipient computer communicating the respective external network addresses, designated internal transmitting ports, and designated internal receiving ports determined from said data packets to said plurality of computers; c) a first of said plurality of computers having a first external network address sending a first UDP data packet using its designated internal receiving port to a second external network address and designated internal transmitting port associated with a second of said plurality of computers, and said second of said plurality of computers sending a UDP data packet using its designated internal receiving port to said first external network address and designated internal transmitting port associated with said first of said plurality of computers; and d) said second computer sending UDP data packets using its designated internal transmitting port to said first external network address and designated internal receiving port associated with said first computer, and said first computer sending UDP data packets using its designated internal transmitting port to said second external network address and internal receiving port associated with said second computer.
 4. The method of claims 1, 2 or 3 wherein each of said firewalls protecting each of said computers further translates said designated internal transmitting and receiving ports of each of said computers to external transmitting and receiving ports, and: a) in step (b) of claim 1, said designated recipient computer communicates said first external network address and external transmitting port determined from said first UDP data packet to said second computer and communicates said second external network address and external receiving port determined from said second UDP data packet to said first computer; b) in step (b) of claim 2, said designated recipient computer communicates said first external network address, external transmitting port, and external receiving port of said first computer, determined from said data packets sent from said first computer, to said second computer, and communicates said second external network address, external transmitting port, and external receiving port of said second computer, determined from said data packets sent from said second computer, to said first computer; c) in step (b) of claim 3, said designated recipient computer communicates the respective external network addresses, external transmitting ports, and external receiving ports determined from said data packets to said plurality of computers; d) in step (c) of claim 1, the UDP data packet sent from said second computer is sent using the designated internal receiving port of said second computer to said first external network address and external transmitting port of said first computer; e) in step (c) of claim 2, the UDP data packet sent from said second computer is sent using the designated internal receiving port of said second computer to said first external network address and external transmitting port of said first computer, and the UDP data packet sent from said first computer is sent using the designated internal receiving port of said first computer to said second external network address and external transmitting port of said second computer; f) in step (c) of claim 3, said first of said plurality of computers sends a first UDP packet using its designated internal receiving port to said second external network address and external transmitting port associated with said second of said plurality of computers, and said second of said plurality of computers sends a UDP data packet using its designated internal receiving port to said first external network address and external transmitting port associated with said first of said plurality of computers; g) in step (d) of claim 1, the UDP data packet sent from said first computer is sent using the designated internal transmitting port of said first computer to said second external network address and external receiving port of said second computer; h) in step (d) of claim 2, the UDP data packets sent from said first computer are sent using the designated internal transmitting port of said first computer to said second external network address and external receiving port of said second computer, and the UDP packets sent from said second computer are sent using the designated internal transmitting port of said second computer to said first external network address and external receiving port of said first computer; and i) in step (d) of claim 3, said second computer sends UDP data packets using its designated internal transmitting port to said first external network address and external receiving port associated with said first computer, and said first computer sends UDP data packets using its designated internal transmitting port to said second external network address and external receiving port associated with said second computer.
 5. The method of claims 1 to 3 wherein saidfirewalls are NAT firewalls.
 6. The method of claim 4 wherein said firewalls are NAPT firewalls.
 7. The method of claims 1 to 4 wherein said data packets consist of live audio/video data streams.
 8. The method ofclaims 1 to 4 wherein said data packets consist of stored audio/videodata.
 9. The method of claims 1 to 4 wherein said data packets consistof the contents of a stored computer file.
 10. The method of claims 1 to 4 wherein said data packets consist of data streams carrying audio/video conferencing communication.
 11. The method of claims 1 to 4 wherein multiple data packets are sent by each of said sending computers in step (a) of claims 1, 2, and 3.
 12. The method of claims 1 to 4 wherein multiple data packets are sent by each of said sending computers in step (c) of claim 1, step (c) of claim 2, step (c) of claim 3, or steps (d), (e), and (f) of claim 4.
 13. The method of claims 1 to 4 wherein multiple data packets are sent by each of said sending computers in step (d) of claim 1, step (d) of claim 2, step (d) of claim 3, or steps (g), (h), and (i) of claim 4.
 14. The method of claims 1 to 3 wherein each of said computers uses the same internal ports for sending and receiving said data packets and: (a) the UDP data packets sent by each sending computer are sent using the common internal transmitting and receiving port of said computer; and (b) the UDP data packets sent to each receiving computer are sent to the common internal transmitting and receiving port of said computer.
 15. The method of claim 4 wherein each of said computers uses the same internal ports for transmitting and receiving said data packets, which internal ports get translated by said firewalls into the same external ports for sending and receiving said data packets and: a) the UDP data packets sent by each sending computer are sent using the common internal transmitting and receiving port of said computer, and b) the UDP data packets sent to each receiving computer are sent to the common external transmitting and receiving port of said computer.
 16. The method of claims 1 to 4 wherein the steps herein arerepeated periodically to accommodate changes in the external ports beingused by some or all of the firewalls.
 17. The method of claims 1 to 4wherein said designated recipient computer is a common server.
 18. Themethod of claims 1 to 4 wherein sad designated recipient computer is apeer computer involved in the data transmission.
 19. The method ofclaims 1 to 4 wherein said designated recipient computer is a peercomputer not involved in the data transmission.
 20. The method of claims1 to 4 wherein: a) said designated recipient computer is an echo server,and said echo server communicates said addresses and ports form each ofsaid UDP data packets transmitted to said designated recipient computerto the computer which was the source of said UDP data packet, and b)said source computers communicate their respective addresses and portsto the other computers over said wide area computer network.
 21. Themethod of claims 1 to 4 wherein said computers communicate through awide area network by transmitting data through a server computer.
22. A computer program product for transmitting a UDP data packet from a first computer to a second computer over a wide area computer network, said computer program designating an internal port from which said first computer will transmit the UDP data packet and designating an internal port at which said second computer will receive the UDP data packet, said first computer having a first internal network address and said second computer having a second internal network address, wherein said first computer is protected by a first firewall which translates said first internal network address to a first external network address when communicating over said wide area computer network, and said second computer is protected by a second firewall which translates said second internal network address to a second external network address when communicating over said wide area computer network, said first and second firewalls communicating over said wide area computer network, said method using a designated recipient computer in communication with said first and second computers via said wide area computer network, said computer program product comprising: a) a computer usable medium having computer readable program code means embodied in the medium for causing said first computer to send a first UDP data packet to said designated recipient computer using its designated internal transmitting port, and causing said second computer to send a second UDP data packet to said designated recipient computer using its designated internal receiving port; b) the computer usable medium having computer readable program code means embodied in the medium for causing said designated recipient computer to communicate said first external network address and said designated internal transmitting port determined from said first UDP data packet to said second computer, and to communicate said second external network address and said designated internal receiving port determined from said second UDP data packet to said first computer; c) the computer usable medium having computer readable program code means embodied in the medium for causing said second computer to send a UDP data packet using its designated internal receiving port to said first external network address and designated internal transmitting port of said first computer, and d) the computer usable medium having computer readable program code means embodied in the medium for causing said first computer to send a UDP data packet using its internal transmitting port to said second external network address and designated internal receiving port of said second computer.
23. A computer program product for permitting two-way transmission of data packets between a first computer and a second computer over a wide area computer network, said computer program designating for each said computer an internal port from which said computer will transmit the UDP data packets and designating for each said computer an internal port at which said computer will receive the UDP data packets, each of said computers having an internal network address, wherein said first computer is protected by a first firewall which translates said first internal network address to a first external network address when communicating over said wide area computer network, and said second computer is protected by a second firewall which translates said second internal network address to a second external network address when communicating over said wide area computer network, said first and second firewalls communicating over said wide area computer network, said method using a designated recipient computer in communication with said first and second computers via said wide area computer network, said program including: a) a computer usable medium having computer readable program code means embodied in the medium for causing said first computer to send two UDP data packets to said designated recipient computer, one sent using the designated internal transmitting port of said first computer and one sent using the designated internal receiving port of said first computer, and causing said second computer to send two UDP data packets to said designated recipient computer, one sent using the designated internal transmitting port of said second computer and one sent using the designated internal receiving port of said second computer; b) the computer usable medium having computer readable program code means embodied in the medium for causing said designated recipient computer to communicate said first external network address, designated internal transmitting port, and designated internal receiving port of said first computer, determined from said data packets sent from said first computer, to said second computer, and to communicate said second external network address, designated internal transmitting port, and designated internal receiving port of said second computer, determined from said data packets sent from said second computer, to said first computer; c) the computer usable medium having computer readable program code means embodied in the medium for causing said second computer to send a UDP data packet using its designated internal receiving port to said first external network address and designated internal transmitting port of said first computer, and causing said first computer to send a UDP packet using its designated internal receiving port to said second external network address and designated internal transmitting port of said second computer; and d) the computer usable medium having computer readable program code means embodied in the medium for causing said first computer to send UDP data packets using its designated internal transmitting port to said second external network address and designated internal receiving port of said second computer, and causing said second computer to send UDP data packets using its designated internal transmitting port to said first external network address and designated internal receiving port of said first computer.
24. A computer program product for permitting two-way transmission of UDP data packets between any two of a plurality of computers over a wide area computer network, said program designating for each computer of said plurality of computers an internal port from which it will transmit the UDP data packets and an internal port at which it will receive the UDP data packets, each computer having an internal network address, wherein each computer is protected by a firewall which translates said internal address of said computer to an external network address when communicating over said wide area computer network, said firewalls communicating over said wide area computer network, said method using a designated recipient computer in communication with said plurality of computers via said wide area computer network, said program including: a) a computer usable medium having computer readable program code means embodied in the medium for causing each computer of said plurality of computers to send respective UDP data packets to said designated recipient computer using their designated internal receiving ports, and to send respective UDP data packets to said designated recipient computer using their designated internal transmitting ports; b) a computer usable medium having computer readable program code means embodied in the medium for causing said designated recipient computer to communicate the respective external network addresses, designated internal transmitting ports, and designated internal receiving ports determined from said data packets to said plurality of computers; c) a computer usable medium having computer readable program code means embodied in the medium for causing a first of said plurality of computers having a first external network address to send a first UDP data packet using its designated internal receiving port to a second external network address and designated internal transmitting port associated with a second of said plurality of computers, and causing said second of said plurality of computers to send a UDP data packet using its designated internal receiving port to said first external network address and designated internal transmitting port associated with said first of said plurality of computers; and d) a computer usable medium having computer readable program code means embodied in the medium for causing said second computer to send UDP data packets using its designated internal transmitting port to said first external network address and designated internal receiving port associated with said first computer, and causing said first computer to send UDP data packets using its designated internal transmitting port to said second external network address and internal receiving port associated with said second computer.
25. The computer program product of claims 22, 23, or 24 wherein each of said computers is protected by a firewall which further translates said designated internal transmitting and receiving ports of each of said computers to designated external transmitting and receiving ports, and: a) in step (b) of claim 22, said designated recipient computer communicates said first external network address and external transmitting port determined from said first UDP data packet to said second computer and communicates said second external network address and external receiving port determined from said second UDP data packet to said first computer; b) in step (b) of claim 23, said designated recipient computer communicates said first external network address, external transmitting port, and external receiving port of said first computer, determined from said data packets sent from said first computer, to said second computer, and communicates said second external network address, external transmitting port, and external receiving port of said second computer, determined from said data packets sent from said second computer, to said first computer; c) in step (b) of claim 24, said designated recipient computer communicates the respective external network addresses, external transmitting ports, and external receiving ports determined from said data packets to said plurality of computers; d) in step (c) of claim 22, the UDP data packet sent from said second computer is sent using the designated internal receiving port of said second computer to said first external network address and external transmitting port of said first computer; e) in step (c) of claim 23, the UDP data packet sent from said second computer is sent using the designated internal receiving port of said second computer to said first external network address and external transmitting port of said first computer, and the UDP data packet sent from said first computer is sent using the designated internal receiving port of said first computer to the second external network address and external transmitting port of said second computer; f) in step (c) of claim 24, said first of said plurality of computers sends a first UDP packet using its designated internal receiving port to said second external network address and external transmitting port associated with said second of said plurality of computers, and said second of said plurality of computers sends a UDP data packet using its designated internal receiving port to said first external network address and external transmitting port associated with said first of said plurality of computers; g) in step (d) of claim 22, the UDP data packet sent from said first computer is sent using the designated internal transmitting port of said first computer to said second external network address and external receiving port of said second computer; h) in step (d) of claim 23, the UDP data packets sent from said first computer are sent using the designated internal transmitting port of said first computer to said second external network address and external receiving port of said second computer, and the UDP packets sent from said second computer are sent using the designated internal transmitting port of said second computer to said first external network address and external receiving port of said first computer; and i) in step (d) of claim 24, said second computer sends UDP data packets using its designated internal transmitting port to said first external network address and external receiving port associated with said first computer, and said first computer sends UDP data packets using its designated internal transmitting port to said second external network address and external receiving port associated with said second computer.
26. The computer program product of claims 22 to 25 wherein said real-time media delivery involves live audio/video data.
27. The computer program product of claims 22 to 25 wherein said real-time media delivery involves stored on-demand streamed audio/video data.
28. The computer program product of claims 22 to 25 wherein said real-time media delivery involves the contents of a stored computer file.
29. The computer program product of claims 22 to 25 wherein said real-time media delivery involves audio/video conferencing communication.
30. The computer program product of claims 22 to 25 wherein the program causes the computer on which the computer program is operating to send a UDP data packet to an intermediary for the purpose of identifying the external sending port which will be assigned to it, and receives data from the intermediary to identify the external receiving port assigned to the other participant.
31. A system for transmitting a UDP data packet between two firewall-protected computers over a wide area network, said system comprising: a) first and second computers adapted to communicate over a wide area computer network, wherein said first computer has a first internal network address and a designated internal port for transmitting said UDP data packet and said second computer has a second internal network address and a designated internal port for receiving said UDP data packet, wherein said first computer is protected by a first firewall which translates said first internal network address and designated internal transmitting port to a first external network address and external transmitting port when communicating over said wide area network, and said second computer is protected by a second firewall which translates said second internal network address and designated internal receiving port to a second external network address and external receiving port when communicating over said wide area network, said first and second firewalls communicating over said wide area computer network; b) a designated recipient computer in communication with said first and second computers via said wide area computer network; wherein said first and second computers comprise means for sending first and second UDP data packets to said designated recipient computer; said first computer sends said first UDP data packet using its designated internal transmitting port and said second computer sends said second UDP data packet using its designated internal receiving port; said designated recipient computer comprises means for communicating said first external network address and external transmitting port determined from said first UDP data packet to said second computer and communicating said second external network address and external receiving port determined from said second UDP data packet to said first computer; said second computer comprises means for sending a UDP data packet using its internal receiving port to said first external network address and external transmitting port of said first computer; and said first computer comprises means for sending a UDP data packet using its internal transmitting port to said second external network address and the external receiving port of said second computer.
32. The method or computer program product of claims 1 to 31 wherein said data packets consist of data packets transmitted through a connectionless or datagram-type transmission protocol other than UDP.
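The exchange of claims 22 and 25 (steps (a) to (d) with NAPT port translation), as an added simulation that is not code from the patent: the external addresses, the ports and the address-restricted firewall model (inbound packets pass only from an endpoint the internal host has already sent to) are constructed assumptions. It also shows why the packet of step (c) matters even though the first firewall discards it: it opens the second firewall for the packet of step (d).

```python
class NaptFirewall:
    """Constructed NAPT firewall model: each (internal ip, port) is given one
    external port, and an inbound packet to that external port is delivered
    only if the internal host has already sent to that remote endpoint."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out = {}           # (internal_ip, internal_port) -> external_port
        self.back = {}          # external_port -> (internal_ip, internal_port)
        self.permitted = set()  # (external_port, remote (ip, port)) pairs

    def outbound(self, src, dst):
        """Translate an outgoing packet; returns the external source endpoint."""
        if src not in self.out:
            self.out[src] = self.next_port
            self.back[self.next_port] = src
            self.next_port += 1
        ext_port = self.out[src]
        self.permitted.add((ext_port, dst))   # replies from dst are now allowed
        return (self.external_ip, ext_port)

    def inbound(self, src, dst):
        """Filter a packet arriving for (external_ip, external_port); returns the
        internal endpoint it is delivered to, or None if the firewall drops it."""
        if dst[0] != self.external_ip or (dst[1], src) not in self.permitted:
            return None
        return self.back.get(dst[1])


# Constructed public address of the designated recipient (echo server).
SERVER = ("198.51.100.1", 3478)


def traverse(fw1, c1_tx, fw2, c2_rx, do_step_c=True):
    """Run steps (a)-(d) of claim 22 with the external ports of claim 25.
    Returns the internal endpoint of C2 that received C1's packet, or None."""
    # (a) C1 sends from its transmitting port, C2 from its receiving port,
    #     both to the designated recipient, which sees the translated sources.
    ext1_tx = fw1.outbound(c1_tx, SERVER)
    ext2_rx = fw2.outbound(c2_rx, SERVER)
    # (b) The recipient reports ext1_tx to C2 and ext2_rx to C1; here the two
    #     values are simply handed across.
    # (c) C2 sends from its receiving port to C1's external transmitting
    #     endpoint. fw1 drops it (C1 never sent to C2), but fw2 now permits
    #     traffic from ext1_tx to C2's receiving port.
    if do_step_c:
        fw1.inbound(fw2.outbound(c2_rx, ext1_tx), ext1_tx)
    # (d) C1 sends from its transmitting port to C2's external receiving
    #     endpoint; fw2 lets it through because of step (c).
    return fw2.inbound(fw1.outbound(c1_tx, ext2_rx), ext2_rx)


if __name__ == "__main__":
    fw1, fw2 = NaptFirewall("203.0.113.10"), NaptFirewall("203.0.113.20")
    print(traverse(fw1, ("10.0.0.5", 5000), fw2, ("192.168.1.7", 6000)))
```

Calling traverse with do_step_c=False on fresh firewalls returns None, which is the failure the patent's ordering of steps avoids.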